Four-Faith Router adjust_sys_time command injection

Added: 01/03/2025

Background

Four Faith F3x24 is a wifi industrial router. F3x36 is an LTE wireless router.

Problem

A default password and command injection vulnerability in the adjust_sys_time function in the F3x24 and F3x36 routers could allow an attacker to execute arbitrary commands.

Resolution

Change the default password and contact Four-Faith for patch information.

References

https://vulncheck.com/blog/four-faith-cve-2024-12856

Limitations

The target device must have the default password in order for this exploit to succeed.
Back to exploit index